Ubuntu
linux package

arch_trigger_all_cpu_backtrace() results in Oops on virtualized guest

Precise (12.04)
Bug #1168350

Bug #1168350 reported by Munehisa Kamata on 2013-04-12

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Medium	Unassigned
	Precise	Fix Released	Medium	Stefan Bader

Bug Description

SRU Justification:

Impact: The arch_trigger_all_cpu_backtrace tries to notify all other cpus via ipi. For that it looks up an ipi hook from the apic structure without verifying whether that pointer is NULL or not.

Fix: Upstream fixed this by implementing the apic IPI hooks interface. Although some pieces seem to be unclear, this is not changed in upstream kernels since then. So either it does not matter or those pieces are not used. So for now backport the patch introducing the apic interface from upstream (only dropping one unnecessary declaration). This only affects PVM as HVM emulates flat apic completely.

Testcase: To cause a call to arch_trigger_all_cpu_backtrace by:

# echo l > /proc/sysrq-trigger

---

The arch_trigger_all_cpu_backtrace() tries to send NMI to all CPUs via IPI for getting stacktraces from them. But NMI vector is not implemented on virtualized environment(Xen PV) and the function results in Oops.

[4746854.099062] INFO: rcu_sched detected stall on CPU 3 (t=15001 jiffies)
[4746854.099091] BUG: unable to handle kernel paging request at ffffffffff5fb310
[4746854.099100] IP: [<ffffffff81037cf8>] flat_send_IPI_all+0x98/0xd0
[4746854.099116] PGD 1c07067 PUD 1c08067 PMD 1dd4067 PTE 0
[4746854.099126] Oops: 0002 [#1] SMP
[4746854.099134] CPU 3
[4746854.099137] Modules linked in: stallmod(O+) isofs acpiphp
[4746854.099150]
[4746854.099157] Pid: 4752, comm: insmod Tainted: G O 3.2.0-40-virtual #64-Ubuntu
[4746854.099174] RIP: e030:[<ffffffff81037cf8>] [<ffffffff81037cf8>] flat_send_IPI_all+0x98/0xd0
[4746854.099189] RSP: e02b:ffff8803bfd83c68 EFLAGS: 00010046
[4746854.099198] RAX: 0000000000000000 RBX: ffffffff81cd0060 RCX: 000000000003ffff
[4746854.099208] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[4746854.099219] RBP: ffff8803bfd83c88 R08: 000000000003ffff R09: 0000000000000000
[4746854.099229] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000800
[4746854.099240] R13: 000000000f000000 R14: ffff8803bfd8e700 R15: 0000000000000000
[4746854.099256] FS: 00007f456d441700(0000) GS:ffff8803bfd80000(0000) knlGS:0000000000000000
[4746854.099270] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[4746854.099279] CR2: ffffffffff5fb310 CR3: 00000003a4180000 CR4: 0000000000002660
[4746854.099290] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[4746854.099301] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[4746854.099312] Process insmod (pid: 4752, threadinfo ffff8803a48d4000, task ffff8803a6b5c4a0)
[4746854.099323] Stack:
[4746854.099328] 0000000000000000 0000000000002710 ffffffff81c31000 ffffffff81c31100
[4746854.099346] ffff8803bfd83ca8 ffffffff8103333a ffff8803a6e17b00 ffffffff81c31000
[4746854.099363] ffff8803bfd83cc8 ffffffff810df347 ffff8803bfd8e250 ffff8803bfd8eb80
[4746854.099382] Call Trace:
[4746854.099387] <IRQ>
[4746854.099401] [<ffffffff8103333a>] arch_trigger_all_cpu_backtrace+0x5a/0x90
[4746854.099416] [<ffffffff810df347>] check_cpu_stall.isra.35+0x97/0xf0
[4746854.099429] [<ffffffff810df3d8>] __rcu_pending+0x38/0x1d0
[4746854.099439] [<ffffffff810df869>] rcu_check_callbacks+0x79/0x1e0
[4746854.099453] [<ffffffff81078098>] update_process_times+0x48/0x90
[4746854.099466] [<ffffffff8109b864>] tick_sched_timer+0x64/0xc0
[4746854.099480] [<ffffffff8108dfe8>] __run_hrtimer+0x78/0x1f0
[4746854.099491] [<ffffffff8109b800>] ? tick_nohz_handler+0x100/0x100
[4746854.099506] [<ffffffff8105e748>] ? load_balance+0x78/0x370
[4746854.099520] [<ffffffff8108e917>] hrtimer_interrupt+0xf7/0x230
[4746854.099535] [<ffffffff8100a817>] xen_timer_interrupt+0x27/0x40
[4746854.099547] [<ffffffff810d7bb5>] handle_irq_event_percpu+0x55/0x210
[4746854.099561] [<ffffffff813a6f7e>] ? info_for_irq+0xe/0x30
[4746854.099572] [<ffffffff810dae67>] handle_percpu_irq+0x47/0x60
[4746854.099583] [<ffffffff813a6de9>] __xen_evtchn_do_upcall+0x199/0x250
[4746854.099596] [<ffffffff813a8ecf>] xen_evtchn_do_upcall+0x2f/0x50
[4746854.099610] [<ffffffff81661b7e>] xen_do_hypervisor_callback+0x1e/0x30
[4746854.099619] <EOI>
[4746854.099632] [<ffffffff810013aa>] ? hypercall_page+0x3aa/0x1000
[4746854.099645] [<ffffffff810013aa>] ? hypercall_page+0x3aa/0x1000
[4746854.099659] [<ffffffff813a757e>] ? xen_poll_irq_timeout+0x3e/0x50
[4746854.099671] [<ffffffff813a9060>] ? xen_poll_irq+0x10/0x20
[4746854.099683] [<ffffffff8163c200>] ? xen_spin_lock_slow+0x97/0xf2
[4746854.099695] [<ffffffffa000c000>] ? 0xffffffffa000bfff
[4746854.099709] [<ffffffff810121da>] ? xen_spin_lock+0x4a/0x50
[4746854.099722] [<ffffffff816572ce>] ? _raw_spin_lock+0xe/0x20
[4746854.099734] [<ffffffffa000702b>] ? stall+0x2b/0x44 [stallmod]
[4746854.099746] [<ffffffffa000c009>] ? init_module+0x9/0x1000 [stallmod]
[4746854.099758] [<ffffffff81002040>] ? do_one_initcall+0x40/0x180
[4746854.099771] [<ffffffff810a7abe>] ? sys_init_module+0xbe/0x230
[4746854.099783] [<ffffffff8165f8c2>] ? system_call_fastpath+0x16/0x1b

In this case, the function is invoked by RCU based stall detector when it detects stalled CPU(i.e. lockup) in an interrupt context.
Oops in an interrupt context always causes a kernel panic, so this bug sometimes makes debugging a kernel lockup issue difficult.

The function is also invoked from sysrq_handle_showallcpus() that is for getting traces from all active CPUs anytime we want.

# echo l > /pros/sysrq-trigger

This is the easiest way to reproduce this.

[How to fix]
As far as I see, one possible solution is to backport the following patch. This patch is already included in Quantal's kernel.

http://lists.xen.org/archives/html/xen-devel/2012-04/msg01023.html

Another solution is to disable arch_trigger_all_cpu_backtrace() at compile time but I'm still investigating what config is for that.

If you need any other information, please feel free to ask me.

See original description

Tags:

CVE References

Revision history for this message

Munehisa Kamata (kamatam-amazon) wrote on 2013-04-12:

apport.linux-image-3.2.0-40-virtual.9wl95P.apport Edit (186.9 KiB, text/plain)

Revision history for this message

Brad Figg (brad-figg) wrote on 2013-04-12: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1168350

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Revision history for this message

Munehisa Kamata (kamatam-amazon) wrote on 2013-04-12:

I attached apport output but it is not meaningful due to the nature of this issue.

Changed in linux (Ubuntu):
status:	Incomplete → Confirmed

Joseph Salisbury (jsalisbury) on 2013-04-12

Changed in linux (Ubuntu):
importance:	Undecided → Medium

Joseph Salisbury (jsalisbury) on 2013-04-12

tags:

added: bot-stop-nagging kernel-da-key

Joseph Salisbury (jsalisbury) on 2013-04-12

Changed in linux (Ubuntu Precise):
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2013-04-12:

I backported commit f447d56 to Precise and built a test kernel, which can be downloaded from:
http://people.canonical.com/~jsalisbury/lp1168350/

Can you test that kernel and report back if it resolves this bug or not?

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2013-04-12:

Actually, I'm rebuilding the kernels now. They will be posted shortly.

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2013-04-12:

A test kernel is now available at:

http://people.canonical.com/~jsalisbury/lp1168350/

Can you test that kernel and report back if it resolves this bug or not?

Revision history for this message

Munehisa Kamata (kamatam-amazon) wrote on 2013-04-13:

Hi Joseph,

It seems that the test kernel resolves this bug.

root@ip-10-121-11-51:~# uname -r
3.2.0-41-generic
root@ip-10-121-11-51:~# dmesg -c > /dev/null
root@ip-10-121-11-51:~# echo l > /proc/sysrq-trigger
root@ip-10-121-11-51:~# dmesg
[4817826.775851] SysRq : Show backtrace of all active CPUs
[4817826.775870] sending NMI to all CPUs:
[4817826.775873] xen: vector 0x2 is not implemented <-------

Same behavior as Quantal's kernel.

Revision history for this message

Munehisa Kamata (kamatam-amazon) wrote on 2013-04-13:

Just in case, the packages should be linux-image-<version>-virtual, not -generic.

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2013-04-18:

I'm glad to hear that commit fixes this bug. However, there are allot of changes in commit f447d56, so it may not be accepted into a stable kernel.

One other option would be for you to use the Quantal LTS Enablement kernel[0]. Would it be possible for you to test the LTS Enablement kernel to see if its and option for you?

[0] https://wiki.ubuntu.com/KernelTeam/Specs/QuantalLTSEnablementStack

Revision history for this message

Ben Howard (darkmuggle-deactivatedaccount) wrote on 2013-04-18:

#10

Joseph -- re Comment #9, this stack trace is seen in on the AWS Cloud Images. Per the kernel team's request, the default kernel for the Cloud Images is based on 3.2. Since the majority of our usage for the Cloud Images is on AWS, I think we have a compelling reason to at least heavily consider this change.

Revision history for this message

Munehisa Kamata (kamatam-amazon) wrote on 2013-04-19:

#11

As Ben mentioned, we found this on EC2 instance and this bug report is intended to 3.2 based LTS kernel.

If smaller and more-specific patch is preferred, please let me know.

Stefan Bader (smb) on 2013-04-23

Changed in linux (Ubuntu):
status:	Confirmed → Fix Released
Changed in linux (Ubuntu Precise):
assignee:	nobody → Stefan Bader (stefan-bader-canonical)
status:	Confirmed → In Progress

Revision history for this message

Stefan Bader (smb) wrote on 2013-04-23:

#12

Looking at the proposed patch, the main portion is to implement the various IPI functions that get added to the APIC interface. There is on bit in xen_send_IPI_mask_allbutself() which I don't understand, but that is still unchanged in upstream code (I will ask about that on xen-devel). But otherwise either not many other places seem to use the IPI indirection via the APIC structure. Or handle NULL pointers more gracefully. There does not seem to be any related fixup changes in the kernel up today either. So I would think it should be safe for acceptance.

Just as a note, the proposed patch was part 1 of a bundle of two which was claimed to fix a certain hang with perf top. If this is observed on Precise EC2 kernels we should probably track it in another bug report. For that patch, there actually was a fixup, so that would be the following two:
- 1ff2b0c303698e486f1e0886b4d9876200ef8ca5
xen: implement IRQ_WORK_VECTOR handler
- 2f1bd67d544d3c086fb5101513f4b6c8f4291b43
xen/smp: unbind irqworkX when unplugging vCPUs

Stefan Bader (smb) on 2013-05-08

description:

updated

Revision history for this message

Munehisa Kamata (kamatam-amazon) wrote on 2013-05-08:

#13

I've updated the description with the simplest testcase.

description:

updated

Revision history for this message

Stefan Bader (smb) wrote on 2013-05-08:

#14

Thanks. Quickly trying this here with just that one patch applied does not cause an oops, but neither does it seem to produce the requested backtrace. Is that sufficient/expected?

Revision history for this message

Munehisa Kamata (kamatam-amazon) wrote on 2013-05-08:

#15

Sounds like that is expected behavior. Sysrq 'l' shows stacktraces only for active CPUs. So it does not show anything if your system do nothing.

Revision history for this message

Stefan Bader (smb) wrote on 2013-05-09:

#16

Actually it seems that no IPI actually was sent. In my local PV domUs as well as on a EC2 64bit micro instance, it looks like the problem does not exist. In dmesg I see:

[ 0.000000] No local APIC present
[ 0.000000] APIC: disable apic facility
[ 0.000000] APIC: switched to apic NOOP

And verifying with a coredump locally, all apic elements are set to the noop_apic. The only PV domU this seems to be relevant is dom0. Was this for dom0 or do I miss something?

Tim Gardner (timg-tpi) on 2013-05-09

Changed in linux (Ubuntu Precise):
status:	In Progress → Fix Committed

Revision history for this message

Stefan Bader (smb) wrote on 2013-05-09:

#17

Ok, I can verify this on dom0. Though right now, this results in "vector 0x2 not implemented" (this is the NMI_VECTOR). And that is not implemented yet in upstream either. So it does not get you the stack traces but at least prevents the oops.
On another note, the two additional patches I mentioned in comment #12 would fix the "perf top" usecase in dom0. Right now I get "vector 0xf6 not implemented" . But that probably should go into a different bug.

Revision history for this message

Brad Figg (brad-figg) wrote on 2013-06-04:

#18

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed' to 'verification-done'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-precise

Steve Conklin (sconklin) on 2013-06-05

tags:

added: verification-done-precise
removed: verification-needed-precise

Revision history for this message

Launchpad Janitor (janitor) wrote on 2013-06-13:

#19

Download full text (17.0 KiB)

This bug was fixed in the package linux - 3.2.0-48.74

---------------
linux (3.2.0-48.74) precise; urgency=low

[Steve Conklin]

* Release Tracking Bug
- LP: #1188206

[ Upstream Kernel Changes ]

* iwlwifi: dvm: fix zero LQ CMD sending avoidance
- LP: #1186932

linux (3.2.0-47.72) precise; urgency=low

[Steve Conklin]

* Release Tracking Bug
- LP: #1187066

[ Upstream Kernel Changes ]

This bug was fixed in the package linux - 3.2.0-48.74

---------------
linux (3.2.0-48.74) precise; urgency=low

[Steve Conklin]

* Release Tracking Bug
    - LP: #1188206

[ Upstream Kernel Changes ]

* iwlwifi: dvm: fix zero LQ CMD sending avoidance
    - LP: #1186932

linux (3.2.0-47.72) precise; urgency=low

[Steve Conklin]

* Release Tracking Bug
    - LP: #1187066

[ Upstream Kernel Changes ]

* Revert "drm/i915: Fix detection of base of stolen memory"
    - LP: #1186572
  * mmc: at91/avr32/atmel-mci: fix DMA-channel leak on module unload
    - LP: #1186572
  * mmc: core: Fix bit width test failing on old eMMC cards
    - LP: #1186572
  * mfd: adp5520: Restore mode bits on resume
    - LP: #1186572
  * mmc: atmel-mci: pio hang on block errors
    - LP: #1186572
  * x86: Eliminate irq_mis_count counted in arch_irq_stat
    - LP: #1186572
  * ASoC: wm8994: missing break in wm8994_aif3_hw_params()
    - LP: #1186572
  * ath9k: fix key allocation error handling for powersave keys
    - LP: #1186572
  * nfsd4: don't allow owner override on 4.1 CLAIM_FH opens
    - LP: #1186572
  * net/eth/ibmveth: Fixup retrieval of MAC address
    - LP: #1186572
  * ext4: limit group search loop for non-extent files
    - LP: #1186572
  * xen/vcpu/pvhvm: Fix vcpu hotplugging hanging.
    - LP: #1186572
  * autofs - remove autofs dentry mount check
    - LP: #1186572
  * ALSA: HDA: Fix Oops caused by dereference NULL pointer
    - LP: #1186572
  * iscsi-target: Fix processing of OOO commands
    - LP: #1186572
  * ACPICA: Fix possible buffer overflow during a field unit read operation
    - LP: #1186572
  * B43: Handle DMA RX descriptor underrun
    - LP: #1186572
  * mwifiex: clear is_suspended flag when interrupt is received early
    - LP: #1186572
  * mwifiex: fix memory leak issue when driver unload
    - LP: #1186572
  * mwifiex: fix setting of multicast filter
    - LP: #1186572
  * cifs: only set ops for inodes in I_NEW state
    - LP: #1186572
  * hp_accel: Ignore the error from lis3lv02d_poweron() at resume
    - LP: #1186572
  * KVM: VMX: fix halt emulation while emulating invalid guest sate
    - LP: #1186572
  * dm snapshot: fix error return code in snapshot_ctr
    - LP: #1186572
  * dm bufio: avoid a possible __vmalloc deadlock
    - LP: #1186572
  * tick: Cleanup NOHZ per cpu data on cpu down
    - LP: #1186572
  * ACPI / EC: Restart transaction even when the IBF flag set
    - LP: #1186572
  * drm/radeon: check incoming cliprects pointer
    - LP: #1186572
  * staging: vt6656: use free_netdev instead of kfree
    - LP: #1186572
  * hwmon: fix error return code in abituguru_probe()
    - LP: #1186572
  * Kirkwood: Enable PCIe port 1 on QNAP TS-11x/TS-21x
    - LP: #1186572
  * avr32: fix relocation check for signed 18-bit offset
    - LP: #1186572
  * powerpc/pseries: Fix partition migration hang in stop_topology_update
    - LP: #1186572
  * powerpc: Bring all threads online prior to migration/hibernation
    - LP: #1186572
  * timer: Don't reinitialize the cpu base lock during CPU_UP_PREPARE
    - LP: #1186572
  * tg3: Skip powering down function 0 on certain serdes devices
    - LP: #1186572
  * USB: xHCI: override bogus bulk wMaxPacketSize values
    - LP: #1186572
  * USB: UHCI: fix for suspend of virtual HP controller
    - LP: #1186572
  * tracing: Fix leaks of filter preds
    - LP: #1186572
  * usermodehelper: check subprocess_info->path != NULL
    - LP: #1186572
  * drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory
    overflow
    - LP: #1186572
  * ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex
    - LP: #1186572
  * USB: reset resume quirk needed by a hub
    - LP: #1186572
  * usb: option: Add Telewell TW-LTE 4G
    - LP: #1186572
  * USB: Blacklisted Cinterion's PLxx WWAN Interface
    - LP: #1186572
  * USB: option: add device IDs for Dell 5804 (Novatel E371) WWAN card
    - LP: #1186572
  * i2c: designware: always clear interrupts before enabling them
    - LP: #1186572
  * USB: ftdi_sio: Add support for Newport CONEX motor drivers
    - LP: #1186572
  * btrfs: don't stop searching after encountering the wrong item
    - LP: #1186572
  * virtio_console: fix uapi header
    - LP: #1186572
  * ARM: plat-orion: Fix num_resources and id for ge10 and ge11
    - LP: #1186572
  * USB: cxacru: potential underflow in cxacru_cm_get_array()
    - LP: #1186572
  * TTY: Fix tty miss restart after we turn off flow-control
    - LP: #1186572
  * sunrpc: clarify comments on rpc_make_runnable
    - LP: #1186572
  * SUNRPC: Prevent an rpc_task wakeup race
    - LP: #1186572
  * perf: net_dropmonitor: Fix trace parameter order
    - LP: #1186572
  * perf: net_dropmonitor: Fix symbol-relative addresses
    - LP: #1186572
  * ACPI / video: Add "Asus UL30A" to ACPI video detect blacklist
    - LP: #1186572
  * fat: fix possible overflow for fat_clusters
    - LP: #1186572
  * wait: fix false timeouts when using wait_event_timeout()
    - LP: #1186572
  * mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
    - LP: #1186572
  * rapidio/tsi721: fix bug in MSI interrupt handling
    - LP: #1186572
  * Fix for rapidio-tsi721-fix-bug-in-MSI-interrupt-handling
  * mm compaction: fix of improper cache flush in migration code
    - LP: #1186572
  * mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
    - LP: #1186572
  * drivers/block/brd.c: fix brd_lookup_page() race
    - LP: #1186572
  * nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary
    - LP: #1186572
  * random: fix accounting race condition with lockless irq entropy_count
    update
    - LP: #1186572
  * ocfs2: goto out_unlock if ocfs2_get_clusters_nocache() failed in
    ocfs2_fiemap()
    - LP: #1186572
  * mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas
    - LP: #1186572
  * xhci: Don't warn on empty ring for suspended devices.
    - LP: #1186572
  * sched/debug: Limit sd->*_idx range on sysctl
    - LP: #1186572
  * sched/debug: Fix sd->*_idx limit range avoiding overflow
    - LP: #1186572
  * ipvs: ip_vs_sip_fill_param() BUG: bad check of return value
    - LP: #1186572
  * pch_dma: Use GFP_ATOMIC because called from interrupt context
    - LP: #1186572
  * drbd: fix for deadlock when using automatic split-brain-recovery
    - LP: #1186572
  * x86, efivars: firmware bug workarounds should be in platform code
    - LP: #1186572
  * efi: Export efi_query_variable_store() for efivars.ko
    - LP: #1186572
  * x86,efi: Check max_size only if it is non-zero.
    - LP: #1186572
  * x86,efi: Implement efi_no_storage_paranoia parameter
    - LP: #1186572
  * tcp: force a dst refcount when prequeue packet
    - LP: #1186572
  * 3c509.c: call SET_NETDEV_DEV for all device types (ISA/ISAPnP/EISA)
    - LP: #1186572
  * net_sched: act_ipt forward compat with xtables
    - LP: #1186572
  * bridge: fix race with topology change timer
    - LP: #1186572
  * packet: tpacket_v3: do not trigger bug() on wrong header status
    - LP: #1186572
  * 3c59x: fix freeing nonexistent resource on driver unload
    - LP: #1186572
  * 3c59x: fix PCI resource management
    - LP: #1186572
  * if_cablemodem.h: Add parenthesis around ioctl macros
    - LP: #1186572
  * macvlan: fix passthru mode race between dev removal and rx path
    - LP: #1186572
  * ipv6: do not clear pinet6 field
    - LP: #1186572
  * xfrm6: release dev before returning error
    - LP: #1186572
  * drivers/rtc/rtc-pcf2123.c: fix error return code in pcf2123_probe()
    - LP: #1186572
  * mantis: fix silly crash case
    - LP: #1186572
  * staging: comedi: prevent auto-unconfig of manually configured devices
    - LP: #1186572
  * um: Serve io_remap_pfn_range()
    - LP: #1186572
  * Linux 3.2.46
    - LP: #1186572

linux (3.2.0-46.71) precise; urgency=low

[Steve Conklin]

* Release Tracking Bug
    - LP: #1186317

[ Upstream Kernel Changes ]

* xen: implement apic ipi interface
    - LP: #1168350
  * crypto: algif - suppress sending source address information in recvmsg
    - LP: #1172363
    - CVE-2013-3076
  * ax25: fix info leak via msg_name in ax25_recvmsg()
    - LP: #1172366
    - CVE-2013-3223
  * Bluetooth: fix possible info leak in bt_sock_recvmsg()
    - LP: #1172368
    - CVE-2013-3224
  * tipc: fix info leaks via msg_name in recv_msg/recv_stream
    - LP: #1172403
    - CVE-2013-3235
  * rose: fix info leak via msg_name in rose_recvmsg()
    - LP: #1172394
    - CVE-2013-3234
  * Bluetooth: RFCOMM - Fix missing msg_namelen update in
    rfcomm_sock_recvmsg()
    - LP: #1172369
    - CVE-2013-3225
  * atm: update msg_namelen in vcc_recvmsg()
    - LP: #1172365
    - CVE-2013-3222
  * aio: fix possible invalid memory access when DEBUG is enabled
    - LP: #1186055
  * tracing: Use stack of calling function for stack tracer
    - LP: #1186055
  * tracing: Fix stack tracer with fentry use
    - LP: #1186055
  * tracing: Remove most or all of stack tracer stack size from
    stack_max_size
    - LP: #1186055
  * tracing: Fix ftrace_dump()
    - LP: #1186055
  * Wrong asm register contraints in the futex implementation
    - LP: #1186055
  * Wrong asm register contraints in the kvm implementation
    - LP: #1186055
  * cgroup: fix an off-by-one bug which may trigger BUG_ON()
    - LP: #1186055
  * PCI / ACPI: Don't query OSC support with all possible controls
    - LP: #1186055
  * drm/radeon: don't use get_engine_clock() on APUs
    - LP: #1186055
  * drm/radeon: use frac fb div on RS780/RS880
    - LP: #1186055
  * Fix initialization of CMCI/CMCP interrupts
    - LP: #1186055
  * sysfs: fix use after free in case of concurrent read/write and readdir
    - LP: #1186055
  * usb/misc/appledisplay: Add 24" LED Cinema display
    - LP: #1186055
  * nfsd: don't run get_file if nfs4_preprocess_stateid_op return error
    - LP: #1186055
  * ext4/jbd2: don't wait (forever) for stale tid caused by wraparound
    - LP: #1186055
  * jbd2: fix race between jbd2_journal_remove_checkpoint and
    ->j_commit_callback
    - LP: #1186055
  * drm/i915: Add no-lvds quirk for Fujitsu Esprimo Q900
    - LP: #1186055
  * USB: add ftdi_sio USB ID for GDM Boost V1.x
    - LP: #1186055
  * hrtimer: Add expiry time overflow check in hrtimer_interrupt
    - LP: #1186055
  * hrtimer: Fix ktime_add_ns() overflow on 32bit architectures
    - LP: #1186055
  * nfsd4: don't close read-write opens too soon
    - LP: #1186055
  * tracing: Fix off-by-one on allocating stat->pages
    - LP: #1186055
  * USB: option: add a D-Link DWM-156 variant
    - LP: #1186055
  * tracing: Reset ftrace_graph_filter_enabled if count is zero
    - LP: #1186055
  * tracing: Check return value of tracing_init_dentry()
    - LP: #1186055
  * ALSA: usb: Add quirk for 192KHz recording on E-Mu devices
    - LP: #1186055
  * ALSA: usb-audio: disable autopm for MIDI devices
    - LP: #1186055
  * drm/radeon/evergreen+: don't enable HPD interrupts on eDP/LVDS
    - LP: #1186055
  * drm/radeon: cleanup properly if mmio mapping fails
    - LP: #1186055
  * serial_core.c: add put_device() after device_find_child()
    - LP: #1186055
  * PCI/PM: Fix fallback to PCI_D0 in pci_platform_power_transition()
    - LP: #1186055
  * wireless: regulatory: fix channel disabling race condition
    - LP: #1186055
  * xen/smp: Fix leakage of timer interrupt line for every CPU
    online/offline.
    - LP: #1186055
  * xen/smp/spinlock: Fix leakage of the spinlock interrupt line for every
    CPU online/offline
    - LP: #1186055
  * xen/time: Fix kasprintf splat when allocating timer%d IRQ line.
    - LP: #1186055
  * ASoC: max98088: Fix logging of hardware revision.
    - LP: #1186055
  * usbfs: Always allow ctrl requests with USB_RECIP_ENDPOINT on the ctrl
    ep
    - LP: #1186055
  * drm/i915: Workaround incoherence between fences and LLC across multiple
    CPUs
    - LP: #1186055
  * drm/i915: ensure single initialization and cleanup of backlight device
    - LP: #1186055
  * iwlwifi: dvm: don't send zeroed LQ cmd
    - LP: #1186055
  * drm/i915: Fall back to bit banging mode for DVO transmitter detection
    - LP: #1186055
  * LOCKD: Ensure that nlmclnt_block resets block->b_status after a server
    reboot
    - LP: #1186055
  * ext4: fix Kconfig documentation for CONFIG_EXT4_DEBUG
    - LP: #1186055
  * drm/radeon: fix hdmi mode enable on RS600/RS690/RS740
    - LP: #1186055
  * USB: ftdi_sio: correct ST Micro Connect Lite PIDs
    - LP: #1186055
  * USB: serial: option: Added support Olivetti Olicard 145
    - LP: #1186055
  * usb-storage: CY7C68300A chips do not support Cypress ATACB
    - LP: #1186055
  * i2c: xiic: must always write 16-bit words to TX_FIFO
    - LP: #1186055
  * nfsd: Decode and send 64bit time values
    - LP: #1186055
  * fbcon: when font is freed, clear also vc_font.data
    - LP: #1186055
  * powerpc/spufs: Initialise inode->i_ino in spufs_new_inode()
    - LP: #1186055
  * USB: ftdi_sio: enable two UART ports on ST Microconnect Lite
    - LP: #1186055
  * ALSA: snd-usb: try harder to find USB_DT_CS_ENDPOINT
    - LP: #1186055
  * gianfar: do not advertise any alarm capability.
    - LP: #1186055
  * ALSA: usb-audio: Fix autopm error during probing
    - LP: #1186055
  * clockevents: Set dummy handler on CPU_DEAD shutdown
    - LP: #1186055
  * ixgbe: fix EICR write in ixgbe_msix_other
    - LP: #1186055
  * powerpc: Add isync to copy_and_flush
    - LP: #1186055
  * s390/memory hotplug: prevent offline of active memory increments
    - LP: #1186055
  * mwifiex: Use pci_release_region() instead of a pci_release_regions()
    - LP: #1186055
  * mwifiex: Call pci_release_region after calling pci_disable_device
    - LP: #1186055
  * ARM: u300: fix ages old copy/paste bug
    - LP: #1186055
  * fs/fscache/stats.c: fix memory leak
    - LP: #1186055
  * drivers/rtc/rtc-cmos.c: don't disable hpet emulation on suspend
    - LP: #1186055
  * md: bad block list should default to disabled.
    - LP: #1186055
  * inotify: invalid mask should return a error number but not set it
    - LP: #1186055
  * fs/dcache.c: add cond_resched() to shrink_dcache_parent()
    - LP: #1186055
  * ipc: sysv shared memory limited to 8TiB
    - LP: #1186055
  * drm/radeon: fix endian bugs in atom_allocate_fb_scratch()
    - LP: #1186055
  * drm/radeon: fix possible segfault when parsing pm tables
    - LP: #1186055
  * drm/radeon: fix handling of v6 power tables
    - LP: #1186055
  * TTY: do not update atime/mtime on read/write
    - LP: #1186055
  * TTY: fix atime/mtime regression
    - LP: #1186055
  * tty: fix up atime/mtime mess, take three
    - LP: #1186055
  * perf: Fix error return code
    - LP: #1186055
  * perf/x86: Fix offcore_rsp valid mask for SNB/IVB
    - LP: #1186055
  * s390: move dummy io_remap_pfn_range() to asm/pgtable.h
    - LP: #1186055
  * vm: add vm_iomap_memory() helper function
    - LP: #1186055
  * vm: convert snd_pcm_lib_mmap_iomem() to vm_iomap_memory() helper
    - LP: #1186055
  * vm: convert fb_mmap to vm_iomap_memory() helper
    - LP: #1186055
  * vm: convert HPET mmap to vm_iomap_memory() helper
    - LP: #1186055
  * cbq: incorrect processing of high limits
    - LP: #1186055
  * net IPv6 : Fix broken IPv6 routing table after loopback down-up
    - LP: #1186055
  * net: count hw_addr syncs so that unsync works properly.
    - LP: #1186055
  * atl1e: limit gso segment size to prevent generation of wrong ip length
    fields
    - LP: #1186055
  * bonding: fix bonding_masters race condition in bond unloading
    - LP: #1186055
  * bonding: IFF_BONDING is not stripped on enslave failure
    - LP: #1186055
  * af_unix: If we don't care about credentials coallesce all messages
    - LP: #1186055
  * netfilter: don't reset nf_trace in nf_reset()
    - LP: #1186055
  * rtnetlink: Call nlmsg_parse() with correct header length
    - LP: #1186055
  * tcp: incoming connections might use wrong route under synflood
    - LP: #1186055
  * esp4: fix error return code in esp_output()
    - LP: #1186055
  * net: sctp: sctp_auth_key_put: use kzfree instead of kfree
    - LP: #1186055
  * tcp: call tcp_replace_ts_recent() from tcp_ack()
    - LP: #1186055
  * caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
    - LP: #1186055
  * irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
    - LP: #1186055
  * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
    - LP: #1186055
  * llc: Fix missing msg_namelen update in llc_ui_recvmsg()
    - LP: #1186055
  * netrom: fix info leak via msg_name in nr_recvmsg()
    - LP: #1186055
  * netrom: fix invalid use of sizeof in nr_recvmsg()
    - LP: #1186055
  * net: drop dst before queueing fragments
    - LP: #1186055
  * sparc64: Fix race in TLB batch processing.
    - LP: #1186055
  * r8169: fix 8168evl frame padding.
    - LP: #1186055
  * drm/i915: Fix detection of base of stolen memory
    - LP: #1186055
  * ixgbe: add missing rtnl_lock in PM resume path
    - LP: #1186055
  * kernel/audit_tree.c: tree will leak memory when failure occurs in
    audit_trim_trees()
    - LP: #1186055
  * powerpc: fix numa distance for form0 device tree
    - LP: #1186055
  * r8169: fix vlan tag read ordering.
    - LP: #1186055
  * x86/mm: account for PGDIR_SIZE alignment
    - LP: #1186055
  * Linux 3.2.45
    - LP: #1186055
 -- Steve Conklin <sconklin@canonical.com>   Thu, 06 Jun 2013 09:22:00 -0500

Changed in linux (Ubuntu Precise):
status:	Fix Committed → Fix Released

Revision history for this message

Adam Conrad (adconrad) wrote on 2013-06-13: Update Released

#20

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

apport.linux-image-3.2.0-40-virtual.9wl95P.apport Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

arch_trigger_all_cpu_backtrace() results in Oops on virtualized guest

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package